Top 10 worst cyber attacks of 2019


2019 was probably one of the biggest years yet for large-scale cyber attacks and data breaches, with millions, if not billions, of people affected and their data compromised by hackers and cybercriminals. Many large and small companies were victims of these attacks, and many individuals were also affected by the endless creation and spread of new Malware and Ransomware.

Now that 2019 is coming to an end and we are looking forward to 2020, the start of a new decade, we thought it would be a good time to discuss some of the worst cyber attacks of 2019. These attacks range from data breaches and account compromises to permanent data loss, and they have affected people in numbers ranging from a few thousand to a few billion.


This article lists the top 10 cyber attacks of 2019 by impact and scale. It also discusses some of the security measures these organizations could have taken to avoid these attacks, and recommendations for avoiding them in the future.

Top 10 worst cyber attacks of 2019

Fortnite cyber attack

When?

January 2019

What happened?

Fortnite became hugely popular in 2019, which also attracted hackers and cybercriminals to attack the game. Back in January, Epic Games announced that they had discovered a bug in the app's login page that allowed hackers to log in to millions of players' accounts and purchase in-game currency using the registered credit cards.

Hackers were able to exploit this bug in the login form to impersonate users who logged in to the game through third-party services like Facebook or Xbox Live. They then transferred their purchases to other Fortnite accounts under their control.


What could have been done to prevent this?

With a massive fan base and millions of active players every day, the developers behind Fortnite should have been more cautious about bugs or vulnerabilities in the game, especially in a crucial page like the login page.

Players are also advised not to reuse passwords from other services on Fortnite, and to change their passwords regularly, to avoid becoming victims of such attacks.

Verifications.io cyber attack

When?

March 2019

What happened?

The verifications.io data breach is considered one of the biggest in the world, with the private data of over 800 million people exposed. Verifications.io is an email marketing company, and it apparently left a database of around 763 million email addresses, along with the names, contact details, and addresses of millions of people, publicly accessible and unsecured.

While the company took down the database as soon as two security researchers informed them about it, chances are it had already been accessed by an unknown number of people during the time it was publicly exposed.

This massive data breach potentially opens the door for numerous scammers and attackers to target specific individuals with phishing emails or Malware. However, the database contained no passwords or social security numbers, which is a bit of a relief.


What could have been done to prevent this?

Obviously, the organization that owned the database could have been more careful about its visibility and safety, especially considering that millions of people's data was involved. They should have kept the database private and could even have encrypted the sensitive information where feasible.

In the future, the organization could regularly check all of its systems and databases for their visibility status and for whether they are protected by multiple security mechanisms and access control protocols, to avoid such attacks.

Facebook cyber attacks

When?

April, September, November 2019

What happened?

2019 was a very bad year for Facebook, mostly because of the numerous data breaches and cyber attacks the organization encountered. The first breach was in April, when around 540 million user records, including user names, account IDs, comments and likes, were found in a public database uploaded to an AWS server. Some of this data also included location information from user check-ins.

Another Facebook-associated database surfaced in September, leaking a total of 400 million phone numbers linked to the Facebook accounts of users from the USA, UK, and Vietnam. The data was found on an unsecured database that was publicly available and could have been accessed by anyone. Some of the records also included the user's account name and location.


Facebook encountered another massive incident this November, when it announced that around 100 third-party app developers had improper and unauthorized access to information about Facebook users, including group member names and profile pictures. This was caused by a misconfiguration in the Group API, which Facebook has since fixed, restricting the third-party developers' access.


What could have been done to prevent this?

Facebook has faced a lot of heat this year from users, governments and the media for not protecting user information even after repeatedly promising to be more careful. With billions of people actively using Facebook every month, Facebook should take user privacy more seriously and ensure that databases holding confidential and private information are well secured and inaccessible to unknown parties.

Facebook should also apply more security protocols and access control mechanisms, and follow a proper security framework, to ensure that its databases cannot be accessed by hackers or cybercriminals. Facebook has announced that it will be tightening the security of its platform and removing illicit or suspicious accounts to avoid such incidents in the future.

MongoDB cyber attacks

When?

March, May, and July 2019

What happened?

MongoDB, one of the most popular database management systems available today, was the victim of multiple huge data breaches this year. Just like the verifications.io breach, an unprotected database was the cause of the MongoDB breaches as well. The first big one was back in March, when more than 800 million email records were leaked, containing personal information including phone numbers, business leads, addresses and more.


Following this, in May there was another massive cyber attack in which a publicly available MongoDB database leaked over 275 million records of Indian citizens containing personally identifiable information. Once again in September, around 188 million records were exposed in a MongoDB database containing names, gender, addresses and even details of family members.

What could have been done to prevent this?

The main reason so many MongoDB databases got exposed is that they were left unprotected on the public internet with no passwords or any other authentication mechanism enabled. This leaves the databases accessible to anyone from a remote location. Sometimes an administrator changes the security configuration of a database, since by default MongoDB is set to restrict internet traffic.

So, the recommended steps that could have been taken to avoid such attacks include using complex and unique passwords for each database instead of the default ones or reused passwords, and adding firewall rules and network configuration that filter unwanted and unauthorized traffic away from the databases.
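The two settings behind the exposures described above are the listen address and whether authentication is required. The following added example, which is not part of the original article, shows a weak mongod.conf beside a hardened one and a small audit function that flags the weak settings; the configuration samples are constructed for illustration, and the parser handles only the two-level layout that mongod.conf uses (it is not a general YAML parser). The option names `net.bindIp`, `net.bindIpAll` and `security.authorization` are real MongoDB server options.

```python
# Constructed sample configurations (not taken from the original article).
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIpAll: true        # listens on every interface, including the public one
# no 'security' section: anyone who can reach the port can read the data
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus one internal application host
security:
  authorization: enabled       # every client must log in with a role-bound user
"""


def parse_flat_yaml(text):
    """Parse the 'section:\\n  key: value' layout of mongod.conf into
    {'section.key': 'value'}. Comments are stripped; IPv6 literals in
    values are not handled (they contain ':'), which is enough for an audit."""
    settings = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if indent == 0:
            section = key
            if value:
                settings[key] = value
        elif section is not None:
            settings[f"{section}.{key}"] = value
    return settings


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means neither weak setting is present."""
    s = parse_flat_yaml(text)
    findings = []
    if s.get("net.bindIpAll", "false").lower() == "true":
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    # Recent MongoDB versions default to localhost when bindIp is absent.
    for addr in s.get("net.bindIp", "127.0.0.1").split(","):
        if addr.strip() in ("0.0.0.0", "::"):
            findings.append(f"net.bindIp contains {addr.strip()}: listens on every interface")
    if s.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization is not enabled: no login is required")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["no findings"])
```

Binding to internal addresses is a complement to, not a substitute for, the firewall rules mentioned above: a host that is reachable from the internet still needs `security.authorization` enabled and a filter in front of port 27017.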

Toyota cyber attacks

When?

February, March 2019

What happened?

Toyota faced two major cyber attacks this year. The first was back in February, when Toyota's Australian server was attacked by an unknown entity, preventing employees from accessing their emails on the internal server. Notably, this was the first time Toyota Australia had ever been the victim of a cyber attack. As a consequence, Toyota employees were unable to tell customers when their newly ordered vehicles would be delivered, because they could not access the central server.


Toyota was once again the victim of a cyber attack later the same year, in March, when Toyota Japan's systems were breached and data from several sales subsidiaries was accessed. This included sales information on over 3 million customers.

What could have been done to prevent this?

It is unclear what exactly happened in Toyota's incidents, as the company never disclosed detailed information about the attacks. However, the company announced that it would conduct a thorough internal audit of all its IT systems to make sure such incidents do not occur in the future.

Instagram cyber attacks

When?

May, September 2019

What happened?

Instagram, one of the social networking services owned by Facebook, suffered the same fate as Facebook this year, experiencing multiple severe cyber attacks. With billions of active users, Instagram is a popular target for attackers and cybercriminals alike, and this May security researchers found sensitive information of over 49 million Instagram users exposed. An AWS database holding all of this data had been left online without a password for 3 days by a marketing agency in India.


The leaked information also included personal details of numerous celebrities and influencers, including their phone numbers, email IDs, locations, and follower details. A similar incident occurred in September, when a white-hat hacker identified a database with the personal information and contact details of millions of Instagram users available online without any protection.

What could have been done to prevent this?

As mentioned earlier, the cause of this breach was an AWS database holding the personal information of millions of Instagram users that was left unprotected. Since Instagram and its parent company Facebook have a massive user base, they naturally attract attackers who scan for publicly exposed databases to use for malicious purposes. So it is highly recommended that such companies never leave massive databases like these without authentication, even for a limited time and even when it is convenient.

Capital One cyber attack

When?

July 2019

What happened?

Capital One, a banking company specializing in credit cards, witnessed one of the biggest cyber attacks in history back in July, when it detected that a hacker had gained unauthorized access to the personal information of over 100 million credit card customers, including social security numbers, bank account details, transaction information and payment history, among other information.

The hacker gained unauthorized access to the company's server by exploiting a vulnerability in a web application firewall. The individual was later found to be a former employee of AWS, the cloud service used by Capital One.


What could have been done to prevent this?

Capital One is one of the largest banking organizations in the US, and given that it primarily handles sensitive and confidential information of millions of users, it is highly important that it regularly scans all of its systems for known vulnerabilities or problems and applies patches immediately to avoid such incidents in the future.

Hostinger cyber attack

When?

August 2019

What happened?

Hostinger is one of the biggest web hosting providers, and it suffered a massive cyber attack this August when it discovered that someone had gained unauthorized access to a database containing information about millions of its customers. The database held the personal information of over 19 million customers, including usernames, passwords, and email addresses.


What could have been done to prevent this?

The Hostinger attack was due to a vulnerable system in their internal environment; a hacker exploited the vulnerability and gained unauthorized access to the database through their RESTful API server. The company could have prevented this by properly investigating its systems, patching the vulnerable ones, and ensuring that no unnecessary access tokens were present on its servers that would allow anyone to reach its internal systems.

OnePlus cyber attack

When?

November 2019

What happened?

Over 40,000 OnePlus customers were affected when the company was hit by a cyber attack this November. OnePlus's servers were attacked and hackers made fraudulent purchases using the credit card information of several customers.

Following the attack, the company immediately stopped all payment channels for purchases on its online store, with the exception of PayPal. While the company was not able to find the exact cause of the attack, it is suspected to have been an insider attack.


What could have been done to prevent this?

To avoid insider attacks, companies generally have a strict screening policy when hiring employees responsible for their security. In this case, OnePlus could have restricted employee access to its servers and should have had strict protocols in place to authorize only those employees who needed access to servers holding confidential information. Such an access control protocol could have played a major role in preventing this attack.

Disney+ cyber attack

When?

November 2019

What happened?

Disney+, the brand new streaming service launched by Disney this November, immediately became a target of hackers, who hijacked thousands of user accounts and attempted to sell the login details on the black market for less than the cost of a Disney+ subscription. The hackers logged into these accounts, changed the passwords and logged the owners out of all their devices, cutting off their access.


What could have been done to prevent this?

Unlike the other attacks on this list, there is actually very little Disney could have done to prevent the hijacking of thousands of user accounts. This is because the attackers may have used multiple methods to gain access, ranging from brute-force password guessing to using passwords found in several leaked databases.


This is possible because most users reuse the same password across multiple services. To avoid being affected by such attacks in the future, users should use unique and complex passwords for all their services and change them regularly.

9 tips to stay safe online during Black Friday & Cyber Monday


Black Friday and Cyber Monday are almost here, and so are great deals in almost all of your favorite online stores. There are lots of obvious advantages to shopping online, especially during the holiday season, like skipping the queues and browsing an unlimited catalog of products.

However, there are also a few disadvantages and dangers, the major one being hackers and cybercriminals waiting to target the millions of people trying to buy their favorite products online, to steal their data or scam them.

Cybercriminals take advantage of the huge number of people spending money during this holiday weekend and entering their credit card details in a hurry to buy something before a deal ends, sometimes without even verifying the legitimacy of the website.

So, in this article we will first discuss the ways cybercriminals generally trick users into giving up data like credit card information or contact details, or scam them into paying for a product that doesn't exist. We will then discuss 9 tips to help you stay safe online during the Black Friday and Cyber Monday sales.

Common ways used by cybercriminals for scamming and stealing user data

 

Phishing attacks


Phishing attacks are probably the most common way cybercriminals and hackers steal user data. They typically involve sending an email to the target user and using some form of social engineering to lure the user into providing details that might later be used against them.

For instance, the attackers might send an email saying that your password for a particular account has been compromised and that you should click the link in the email to reset it. Once you click the link and enter your old password to reset it, the attackers have your password.

Spoofing of popular eCommerce websites

Another way cybercriminals scam people is by creating a fake version of popular eCommerce sites like Amazon and eBay and then spreading links to these fake sites to target users.

These sites may look very similar to the legitimate versions in both appearance and functionality, but have slight differences in the URL or the product catalog. Most of these sites also lack an SSL certificate, which is necessary for secure online transactions.

Posting malicious links in social media

Hackers also use social media sites like Facebook and Twitter to spread malicious links to popular eCommerce sites. While these links may sometimes redirect you to the official websites, they are usually injected with some form of Malware.

This means that once you click on these links and purchase something from the site using your credit card information, the details would be sent to the attacker.

Affecting your system with Malware


While this method is not commonly used for scamming users, it is a very popular way for cybercriminals to steal confidential user data like credit card information, security questions, passwords and so on.

It usually involves installing a program called a keylogger on the target user's system; this program records every keystroke on your computer and forwards the data to the attacker, who then has access to all your confidential information, including your passwords, and can do practically anything with it.


Now that we have seen some of the most common methods used by hackers and cybercriminals, especially during the holiday season, we will discuss the ways you can protect yourself from getting scammed or losing your personal data. So, here are 9 tips to stay safe online during Black Friday & Cyber Monday.

9 tips to stay safe online during Black Friday & Cyber Monday

Update all the software

The first and most important tip for staying safe online during your Black Friday shopping spree is to make sure all the software on your mobile, PC and any other device you use for online shopping is updated to the latest version.

This includes your operating system, any password managers you use and especially your browsers. Older versions of software may be vulnerable to a number of attacks, putting you at risk of those vulnerabilities being exploited by attackers.


If you use any browser extensions, it is recommended that you update those to the latest version as well. Hackers and cybercriminals actively look for entry points and vulnerabilities in target devices in order to compromise your device and steal your personal information.

So, it is absolutely essential that you stay as safe as possible and do not have vulnerable software installed on any of your devices.

Use two-factor authentication wherever possible

Make sure you set up two-factor authentication on all your accounts and sites, at least on the ones that offer it.

In the worst case, when your data has already been compromised and an attacker is trying to log in to your accounts using the information stolen from you, having two-factor authentication in place will certainly warn you that someone other than you is trying to access your account.


In that case, you know that your password has been compromised and can immediately change it and take the other measures necessary to stay safe.

While there are advanced attacks in which hackers can even obtain your two-factor authentication code, that is rare, and it wouldn't hurt to enable an extra layer of security on all your accounts.

Use Antivirus software and a browser plugin

Having good antivirus software set up on your computer and all the other devices you use for online shopping is always a good way to ensure that your computer is free of viruses and Malware and that the websites you visit are not malicious or tampered with by attackers.

Many popular antivirus products also come with a corresponding browser plugin that scans the websites you visit and lets you know if they have been compromised or are not secure, so you can avoid shopping there.


Use ad blockers on your browser

While ad blockers generally hurt the revenue of many genuine websites, most of which depend on advertisements for a major part of their income, they also help you block malicious advertisements, and advertisements on certain sites that might redirect you to a harmful site, try to install Malware on your system or compromise your data.

So, even if you don't generally use an ad blocker, it is recommended that you use a good ad-blocking plugin on both your PC and mobile browsers to stay safe during the Black Friday and Cyber Monday weekend.


Most Android smartphones come with Chrome as the default browser, which unfortunately does not support ad-blocking extensions on mobile. So, if you want to use your mobile browser for shopping instead of apps, you can temporarily try Opera, Mozilla Firefox or any other browser app that supports ad-blocking extensions.

Be careful when downloading shopping apps and using them instead of your browser, as attackers may upload fake versions of these apps to the app store to try and scam users.

Check the URL of the website and presence of SSL certificate

Whenever you visit a website by clicking a link shared by someone, found on social media or sent by email, there is a high chance that the link does not lead to a legitimate website, or redirects you to a malicious site set up by attackers to scam you or steal your data.

In such cases, you can check whether the website is secure by clicking the 'lock' icon in the corner of your browser's address bar.


This works on both PC and mobile phones: once you click the 'lock' icon, you are shown whether the site you are on is secure, based on the presence of an SSL certificate. If you find that a site is not secure, it is highly recommended that you do not use it for online shopping.

It is also recommended to check the website's URL before proceeding with payment, because attackers sometimes install an SSL certificate on their spoof websites, but they cannot get the same domain name as the legitimate websites they are trying to spoof.
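The check described in the two tips above (HTTPS present, and the host really is the shop's domain rather than a look-alike) can be expressed as a small function. The following is an added example, not code from the original article: it takes a URL and the domain you intend to shop on, and returns the reasons, if any, that the URL should not be trusted as that shop. The sample URLs in the usage block are constructed for illustration and use reserved `.example` hosts.

```python
from urllib.parse import urlsplit


def check_shop_url(url, expected_domain):
    """Return a list of reasons the URL should NOT be trusted as `expected_domain`.
    An empty list means: HTTPS, host is the expected domain or a subdomain of it,
    no user@ trick, and no punycode label that could hide look-alike characters."""
    reasons = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_domain.lower()

    if parts.scheme != "https":
        reasons.append(f"not HTTPS (scheme is {parts.scheme or 'missing'})")
    if parts.username is not None:
        # https://amazon.com@evil.example/ : everything before '@' is a username,
        # the browser actually connects to evil.example.
        reasons.append("URL contains user@ before the host (hides the real host)")
    if not host:
        reasons.append("no host in URL")
    elif host != expected and not host.endswith("." + expected):
        # amazon.com.black-friday-deals.example is NOT a subdomain of amazon.com:
        # the registrable domain is whatever comes last.
        reasons.append(f"host {host!r} is not {expected!r} or a subdomain of it")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("host uses punycode (possible look-alike characters)")
    return reasons


if __name__ == "__main__":
    # Constructed sample links of the kind that circulate during sales weekends.
    samples = [
        "https://www.amazon.com/deals",
        "http://amazon.com/deals",
        "https://amazon.com.black-friday-deals.example/login",
        "https://amazon.com@evil.example/",
        "https://xn--amzon-3ta.com/",
    ]
    for link in samples:
        print(link, "->", check_shop_url(link, "amazon.com") or ["looks like the expected shop"])
```

Note that a lock icon only tells you the connection is encrypted to whoever owns the host; the host comparison is what ties the page to the shop you meant to visit.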

Avoid clicking on unknown or shortened URLs and links

Some attackers use URL shorteners to mask their malicious links and share them on social media or spread them through emails, hoping someone will click and visit their website. While these links might look genuine, they most probably are not and are just an attempt by attackers to scam you and steal your information.

So, if you see links for deals that seem too good to be true, more often than not they are. It is best practice to visit the website you want to shop on directly and search for deals yourself instead of clicking random links you find online.


Enable alerts on your credit cards and banking apps

While it is generally good practice to enable spending and transaction alerts on all your banking apps and credit cards, it is especially necessary during the holiday season, because chances are your card or bank account details are already compromised without your knowledge and some cybercriminal is using them to make online purchases.

If you enable these alerts, you will immediately know if someone is using your cards to make payments without your knowledge, and you can temporarily block or disable the card to avoid losing more money.

It is also recommended that you transfer any additional funds in your primary bank account to a secondary account during the holiday season, to limit the damage from incidents like this during your Black Friday and Cyber Monday shopping.

Avoid unknown or insecure internet connection

You might be tempted to use any internet connection you can get your hands on this holiday season to grab a deal before it ends, but it is generally not advisable.

If you use an unknown or insecure internet connection for your Black Friday or Cyber Monday shopping, you might not realize that the network may be compromised or monitored by an attacker.


Using network monitoring tools combined with other attack techniques, a cybercriminal might be able to obtain your passwords or credit card information, or even compromise your system and install Malware on it.

So, it is always recommended to use your personal or home internet connection for sensitive tasks like shopping online with your card details.

Update all your passwords

Password breaches and account compromises happen almost every day, and chances are that one of your accounts has already been compromised and your password is out there.

If you use the same password for all or most of your accounts, it is highly recommended that you change it immediately. If that password is compromised, an attacker could easily gain access to all your accounts.

So, update your passwords across all your accounts, and if you think it would be difficult and time-consuming to come up with multiple new and complex passwords, you can use one of the popular password managers to help you.

Password managers not only generate complex passwords for all your accounts but also store them safely and sync them across your devices, so you don't need to remember lots of long and complicated passwords.

Have a safe Black Friday and Cyber Monday

I hope that these tips help you stay safe online this Black Friday and Cyber Monday, and that you get your favorite products without getting scammed by some hacker or cybercriminal or losing your data or money.

If you know any other tips for safe online shopping, let us know in the comments section below.

Malvertising: The most popular way to spread Malware


Malvertising, short for malicious advertising, is one of the most popular ways attackers and people with malicious intent spread Malware to targeted systems. In fact, 1 in every 100 advertisements you see online is a Malvertisement injected with Malware.

The attackers basically use online advertisements on the websites you visit to deliver different kinds of Malware to your system. The worst part about this method is that it requires almost no interaction from the user to infect their system.

How Malvertising works:

Malvertising attacks generally begin with the attackers submitting a malicious advertisement, in the form of text, an image or a video, to advertising agencies. The malicious advertisement is then delivered to users visiting websites associated with these advertising networks, and it often appears as a legitimate advertisement.



Most of these Malvertisements come in the form of pop-up ads or flashy warnings or alerts that attract or scare users into clicking them immediately. Ironically, this might even be a warning saying that your browser has been infected by Malware and that you should click here to remove it. So, in a way these attackers also rely heavily on social engineering to spread their Malware, although some Malvertisements do not need any interaction from the user to be downloaded to the system.

So, once you click on a Malvertisement on the website you just visited, or sometimes when you simply load a webpage containing a malicious advertisement, one of the following things happens:


  1. The malicious code embedded in the Malvertisement executes and the Malware is installed on the target system.
  2. You are redirected to a malicious website that hosts the Malware.
  3. You are redirected to a fake version of an official website that tricks you into giving up your personal and confidential information.
  4. It attempts to exploit existing vulnerabilities in your browser and install toolbars or malicious extensions.

Tips to protect yourself from Malvertising:

In general, a proactive attitude is essential to protect yourself from getting infected by Malware and from its consequences. The following are some tips you could follow to save yourself from a Malware attack.


  • The most common Malvertising attacks come through your web browser. So, it is important to keep all your browsers, and all software that connects to the internet, updated to the latest versions at all times.
  • Try using an ad blocker on unknown sites to prevent pop-up and redirect ads.
  • Use an antivirus program and its corresponding browser extension to scan for and eliminate malicious files and to block Malware downloads to your system.
  • Resist clicking on suspicious ads or links, and do not open links or emails sent to you from unknown or untrusted sources.
  • Check your list of installed programs and browser extensions regularly and uninstall any unnecessary ones.

Worst comes to worst, even after taking all these precautions you might still fall victim to a Malvertising attack. So, it is always better to keep a local backup copy of all your important files.


This will let you restore all your data after a malware attack: you can simply format your entire system, restore your data from the backup and start fresh.


Cyborg Ransomware spreading via fake Windows update


Cyborg Ransomware is the latest ransomware identified by researchers to target Windows-based systems, and it is currently spreading through fake emails about a Windows update with the subject line “Critical Microsoft Windows Update!”.


The email poses as one sent by Microsoft but is clearly fake, which can be easily identified from the improper formatting, the lack of official headers or logos, and the fact that Microsoft never sends critical updates to its users over email.

The ransomware is delivered through the fake update attachment included in the email, which is actually an executable file with a .jpg extension. The file has a randomly generated name and is approximately 28 KB in size. This executable's purpose is to deliver the malware to the target system; according to the code of the Cyborg Ransomware, that payload is another executable file downloaded from GitHub.


How the Cyborg Ransomware Works:

As mentioned earlier, the main part of the Cyborg Ransomware attack is the attachment sent in the fake Windows update email. Once the victim clicks on or opens the attachment, it downloads an executable file containing the malware from GitHub. The downloaded file was named bitcoingenerator.exe and was hosted on the account misterbtc2020, which has since been removed from GitHub.

Once bitcoingenerator.exe, which carries the Cyborg Ransomware, has been downloaded to the targeted system, it starts encrypting all the data files on the victim’s system and adds the extension .777 to the encrypted files. The memory dump of the ransomware file with the list of file extensions it encrypts is given below.

[Image: memory dump of the Cyborg Ransomware showing the list of file extensions it encrypts]

Once all the data files on the target system have been encrypted, the Cyborg Ransomware leaves a ransom note in the form of a text file named Cyborg_DECRPT.txt on the desktop of the target system. The ransom note instructs the victim to send a ransom of $500 in bitcoin to the provided wallet and to email the provided address in order to get the decryption key for the files encrypted by the Cyborg Ransomware.
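Two of the details above are directly usable by defenders: the attachment claims to be a .jpg but is really a Windows executable, and an infected machine ends up with files renamed to .777 next to a Cyborg_DECRPT.txt note. The following is an added example written for this article (not code from the original post or from any of the researchers cited): a small triage script that checks an attachment's bytes against its claimed extension and scans a directory tree for the post-infection indicators. The attachment bytes and the sample directory are constructed inline; the `build_sample_tree` helper and the random-looking file contents are invented for the demo.

```python
"""Added example: defender-side triage for the Cyborg Ransomware indicators
described in the article. Constructed samples; not the article's own code."""
import os
import tempfile

PE_MAGIC = b"MZ"                   # first two bytes of every Windows executable (DOS header)
ENCRYPTED_EXT = ".777"             # extension Cyborg appends to encrypted files (from the article)
RANSOM_NOTE = "Cyborg_DECRPT.txt"  # ransom note name as reported in the article
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
# Genuine image files start with one of these signatures.
IMAGE_MAGIC = (b"\xff\xd8", b"\x89P", b"GI")


def classify_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment by comparing its claimed extension with its content.

    'executable-disguised-as-image' is the Cyborg lure: an image extension on
    bytes that begin with the PE 'MZ' magic.
    """
    ext = os.path.splitext(filename)[1].lower()
    is_pe = data[:2] == PE_MAGIC
    if ext in IMAGE_EXTS and is_pe:
        return "executable-disguised-as-image"
    if is_pe:
        return "executable"
    if ext in IMAGE_EXTS and data[:2] in IMAGE_MAGIC:
        return "image"
    return "other"


def scan_for_cyborg(root: str) -> dict:
    """Walk a directory tree and count the post-infection indicators.

    Returns counts of .777 files and ransom notes, plus an 'infected' flag that
    requires both, so a lone stray .777 file does not raise a false alarm.
    """
    counts = {"encrypted_files": 0, "ransom_note": 0}
    for _dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == RANSOM_NOTE:
                counts["ransom_note"] += 1
            elif name.lower().endswith(ENCRYPTED_EXT):
                counts["encrypted_files"] += 1
    counts["infected"] = int(counts["ransom_note"] > 0 and counts["encrypted_files"] > 0)
    return counts


def build_sample_tree() -> str:
    """Hypothetical helper: build a constructed directory resembling a victim's
    desktop after infection (three renamed files, one untouched file, one note)."""
    root = tempfile.mkdtemp(prefix="cyborg_demo_")
    for i in range(3):
        with open(os.path.join(root, f"report{i}.docx{ENCRYPTED_EXT}"), "wb") as fh:
            fh.write(os.urandom(32))          # stand-in for ciphertext
    with open(os.path.join(root, "notes.txt"), "w", encoding="utf-8") as fh:
        fh.write("untouched file\n")
    with open(os.path.join(root, RANSOM_NOTE), "w", encoding="utf-8") as fh:
        fh.write("constructed ransom note placeholder\n")
    return root


if __name__ == "__main__":
    # Constructed attachment: image name, executable content (first bytes only).
    lure = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
    print("attachment:", classify_attachment("windows_update.jpg", lure))
    print("directory :", scan_for_cyborg(build_sample_tree()))
```

The extension-versus-magic check is the general lesson: mail gateways and endpoint tools should type attachments by content, never by the name the sender chose.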

How to protect yourself:

While the most common way the Cyborg Ransomware currently spreads across Windows systems is through a fake email prompting targeted users to install a critical Windows update from an attachment, there are also other ways it might make its way to your system.

Basically, anyone who obtains the ransomware builder file from the GitHub repository or by other means could build their own version of the Cyborg Ransomware and then either embed it in an attachment and send it to you in an email with different contents, or attach it to a link and attempt to spread it through malvertising.

Either way, it is important that you protect yourself from these kinds of ransomware. It is always recommended that you regularly back up all your important files and keep both a local copy and one stored in the cloud. Also, do not open attachments or emails from suspicious senders, or visit shady websites that might be carrying malvertising.

Microsoft has also released an official set of guidelines and preventive measures you can take to stay safe from ransomware. You can view those guidelines here.

Purelocker Ransomware: Working and evasion


Purelocker Ransomware is the latest ransomware in town, and it seems to be designed specifically to target production servers at the enterprise level. It was detected last week by researchers at Intezer and IBM X-Force.

Upon analysis, they identified that the ransomware has been used by Cobalt Gang and FIN6, among other threat groups, mainly targeting Windows and Linux based servers. The name Purelocker was assigned because the ransomware is written entirely in a programming language called PureBasic.

PureBasic is a fairly uncommon programming language, but the attackers' choice of this particular language has to do with the fact that code written in PureBasic is portable across multiple platforms like Windows, Linux and macOS, making it easier for the attackers to target multiple operating systems at once.

Also, since PureBasic is not common or popular, antivirus companies are finding it difficult to build reliable and accurate detection engines and signatures able to detect the Purelocker Ransomware. This is also part of the reason why the ransomware went undetected even after being active for several months.

Detection process:

According to the researchers, the initial analysis involved a Windows sample of the Purelocker Ransomware, which they identified as a 32-bit DLL file posing as the C++ cryptography library Crypto++. The researchers became suspicious because some of the functions in the library were related to music playback and controls.

[Image: Purelocker Ransomware sample analysis]

Evasion Techniques:

As mentioned earlier, the Purelocker Ransomware managed to stay undetected by popular antivirus engines for the first few weeks after its attacks began. The attackers stayed under the radar by writing the ransomware in PureBasic instead of a widely popular programming language for which many detection signatures are already available.

Also, the attackers behind the Purelocker Ransomware programmed it so that it begins executing on the target system only after ensuring that it is not being analyzed or debugged by anyone. If it is, the ransomware automatically exits, without even deleting itself.

The ransomware also expects to be run by regsvr32.exe, so it verifies that it was indeed launched by that process, and also that the current year on the target system is 2019 and that it has administrator rights on the system. If any of these checks fail, the ransomware immediately exits as mentioned above, so as not to leave any trace of its functionality.

Working of Purelocker Ransomware:

Once the ransomware has performed all its verification checks on the target system and obtained the desired results, it begins its work by encrypting all the files on the target system with an AES+RSA combination using a hardcoded RSA key.

The ransomware mainly encrypts the data files on the system, giving them the .CR1 extension, and mostly ignores executable files. It then deletes the originals of the files it has encrypted to prevent the user from recovering them. Finally, it leaves a ransom note as a text file on the user’s desktop named YOUR_FILES.txt.
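The evasion checks and the file activity described in the two sections above give a defender several behaviours to watch for: regsvr32.exe loading a DLL from a user-writable location, a burst of files being renamed with the .CR1 extension by one process, and a YOUR_FILES.txt note being created. The following is an added example written for this article (not code from the original post, from Intezer, or from IBM X-Force): three detection rules run over constructed endpoint telemetry. The event format, field names, host name, process ids and file paths are all invented for the demo and do not correspond to any particular EDR product; the thresholds are illustrative.

```python
"""Added example: toy detection rules for the Purelocker behaviours described in
the article, run over constructed endpoint telemetry. Not the article's code."""
from datetime import datetime, timedelta

CR1_BURST_THRESHOLD = 5               # .CR1 renames from one process inside the window
BURST_WINDOW = timedelta(seconds=60)  # illustrative window, tune for your environment
RANSOM_NOTE = "YOUR_FILES.txt"        # note name from the article
TRUSTED_DLL_PREFIX = "c:\\windows\\"  # DLLs loaded by regsvr32 normally live here

# Constructed telemetry: (timestamp, host, event_type, details). Field names are
# invented for this demo. pid 4120 models the Purelocker run; 5000 and 7777 are
# benign look-alikes that the rules must not flag.
EVENTS = [
    ("2019-11-12T10:00:00", "srv01", "process_start",
     {"pid": 4120, "image": "C:\\Windows\\System32\\regsvr32.exe"}),
    ("2019-11-12T10:00:01", "srv01", "image_load",
     {"pid": 4120, "image": "C:\\Users\\Public\\cryptopp.dll"}),
    ("2019-11-12T10:00:05", "srv01", "process_start",
     {"pid": 5000, "image": "C:\\Windows\\System32\\regsvr32.exe"}),
    ("2019-11-12T10:00:06", "srv01", "image_load",
     {"pid": 5000, "image": "C:\\Windows\\System32\\scrrun.dll"}),
    ("2019-11-12T10:01:10", "srv01", "file_rename",
     {"pid": 7777, "old": "D:\\tmp\\one.txt", "new": "D:\\tmp\\one.txt.CR1"}),
    ("2019-11-12T10:01:30", "srv01", "file_create",
     {"pid": 4120, "path": "C:\\Users\\admin\\Desktop\\YOUR_FILES.txt"}),
]
for i in range(6):  # six renames to .CR1 by the suspicious process within ten seconds
    EVENTS.append((f"2019-11-12T10:01:{i:02d}", "srv01", "file_rename",
                   {"pid": 4120, "old": f"D:\\data\\invoice{i}.xlsx",
                    "new": f"D:\\data\\invoice{i}.xlsx.CR1"}))


def detect(events) -> list:
    """Apply the three rules and return sorted (rule, host, pid) hits."""
    events = sorted(events, key=lambda e: e[0])
    proc_image = {}   # (host, pid) -> lower-cased image path from process_start
    renames = {}      # (host, pid) -> timestamps of renames to .CR1
    hits = set()
    for ts, host, etype, d in events:
        key = (host, d["pid"])
        if etype == "process_start":
            proc_image[key] = d["image"].lower()
        elif etype == "image_load":
            # Rule 1: regsvr32 loading a DLL from outside the Windows directory.
            loader = proc_image.get(key, "")
            if loader.endswith("regsvr32.exe") and \
                    not d["image"].lower().startswith(TRUSTED_DLL_PREFIX):
                hits.add(("regsvr32_untrusted_dll", host, d["pid"]))
        elif etype == "file_rename" and d["new"].lower().endswith(".cr1"):
            renames.setdefault(key, []).append(datetime.fromisoformat(ts))
        elif etype == "file_create" and d["path"].rsplit("\\", 1)[-1] == RANSOM_NOTE:
            # Rule 3: the ransom note name is a direct indicator.
            hits.add(("purelocker_ransom_note", host, d["pid"]))
    # Rule 2: a burst of .CR1 renames from one process inside the window.
    for (host, pid), times in renames.items():
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if t - start <= BURST_WINDOW)
            if in_window >= CR1_BURST_THRESHOLD:
                hits.add(("mass_cr1_rename", host, pid))
                break
    return sorted(hits)


if __name__ == "__main__":
    for rule, host, pid in detect(EVENTS):
        print(f"{host} pid={pid} {rule}")
```

Rule 1 is the one that matters most for this family: the sample refuses to run unless regsvr32.exe is its host, so regsvr32 loading a DLL from a profile or temp directory is exactly the event that precedes the encryption burst, and it fires before any file is touched.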

[Image: Purelocker ransom note YOUR_FILES.txt]

While a traditional ransomware note includes how much ransom the attackers want the victims to pay and the means to pay it, typically a bitcoin transaction, the attackers behind the Purelocker Ransomware instead instruct victims to contact them via email.

They also appear to use an anonymous, encrypted email service provider for this purpose, with a different email address for each victim. Once the attackers have communicated with a victim and received the ransom amount they demand, they send the decryption keys to the victim using the same email address they provided for contact.

Unconventional ways of Purelocker Ransomware:

From using an unconventional programming language like PureBasic to write the ransomware, to its evasion techniques, and even the way it functions and collects the ransom from victims, it is clearly evident that this ransomware differs in many ways from those usually talked about in the news.

This clearly shows that the attackers behind this ransomware are rapidly improving and innovating the ways they perform targeted attacks. Therefore, it is important, now more than ever, to focus on the security of our systems and to be as safe as possible with our data and devices.